npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@iherman/minicrypto

v0.5.1

Published

Set of functions that can be used to perform basic cryptographic functions hiding all the intricacies of WebCrypto.

Downloads

19

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

ihermaniherman

Keywords

Readme

NOT FINAL, DO NOT USE IT FOR CRITICAL APPLICATIONS

Simple interface to crypto

This package contains a set of functions that can be used to perform some basic cryptographic functions on top of the WebCrypto API standard, without getting into all the intricacies required by that API (or other, similar packages). Obviously, some of the more complex options are not available; goal is to provide an interface to the simplest usages.

The interface functions are as follows.

Key generation

The functions can be used to generate a private/public (also referred to as secret/public) keys. The package gives an option among four different asymmetric cryptographic key types:

  1. Elliptic Curve Digital Signature Algorithm (ECDSA)[1]: widely used cryptographic method to sign/verify data. It has two "versions": P-256 and P-384[2]. The latter is more secure, but the keys and the signatures are longer. These keys are usable for sign and verify.
  2. Edwards-Curve Digital Signature Algorithm (EdDSA)[3] (also referred to as Ed25519): more recent than ECDSA, it has a somewhat simpler structure. Usable to sign/verify.
  3. RSA-PSS: an RSA variant used for sign/verify. The downside is that the keys and signatures are (sometimes significantly) longer than for EdDSA or ECDSA.
  4. RSA-OAEP: RSA variant used for encrypt/decrypt. Note that, in this package, that is the only key that can be used for encryption and decryption (but cannot be used for sign/verify).

A key pair is either stored as

  • (Binary) CryptoKeyPair, i.e., a pair of key stored in the native, binary format of the WebCrypto API implementation.
  • WKKeyPair, i.e., a pair of key stored in JSON Web Key that conforms to RFC7517. The keys are relatively large JSON structures; advantage is that they can be managed easily by JSON tools.
  • Multikey, i.e., a pair of key stored in Multibase. The key data are encoded as strings and are therefore fairly opaque, but are extremely compact. Note that RSA keys cannot be stored in this format (there is no specification for this).

The coding examples (see the API documentation for details):

// Simple key generation
import { generateKeysJWK, generateKeysMK } from "@iherman/minicrypto";

const keyPairEdDSACrypto = await generateKeys("eddsa");

// Alternatively generate keys in JWK and Multikey formats.
const keyPairEdDSAJWK = await generateKeysJWK("eddsa");
const keyPairECDSAMK = await generateKeysMK("ecdsa");

// ECDSA Keys using P-384
const keyPairECDSAMK384 = await generateKeysMK("ecdsa", {namedCurve: "P-384"});

// RSA Keys generated with a larger modulus (larger key, more secure) for signature/verification
const keyPairRSAPSS = await generateKeysJWK("rsa-pss", {modulusLength: 4096});  // Default is 2048

// RSA Keys for encryption/decryption, using the default modulus length
const keyPairRSAOAEP = await generateKeys("rsa-oaep");

Signature/verification

The keys can be used to sign a string message and to verify the signature. The signature itself is encoded as base64 (more precisely, base-64-url-no-pad) or base58 encoding (more precisely, base-58-btc) and, optionally, stored as a Multibase string. By default, if the key is in JWK or using the binary format, the signature is generated as a plain, base64 string. If the key is Multikey/Multibase, then by default the signature is stored as a Multibase, base58 string. Other combinations must be set explicitly.

Note that the sign and verify functions accept the keys in any formats, i.e., as pairs or as individual keys (private or secret, depending on the function). The only exception is that the sign function requires a full Multikey, the (Multibase encoded) secret key by itself is not accepted.

The coding examples (see the API for details):

import { sign, verify } from "@iherman/minicrypto";

const message = "This is the string to be signed";

// Signature stored as plain base64
const signature64: string = await sign(message, keyPairRSAPSS);
const isValid64: boolean = await verify(message, signature, keyPairRSAPSS.publicKeyJwk);

// Signature stored as multibase base58
const signature58: string = await sign(message, keyPairECDSAMK);
const isValid58: boolean = await verify(message, signature, keyPairECDSAMK.publicKeyMultibase);

Encryption/decryption

By default, if the key is in JWK, the ciphertext is generated as a plain, base64 string. Other combinations must be set explicitly.

import { encrypt, decrypt } from "@iherman/minicrypto";

const message2 = "This is the string to be encrypted";

// Signature stored as plain base64
const ciphertext64: string = await encrypt(message2, keyPairRSAOAEP.publicKey);

// Signature stored as multibase base58
const ciphertext58: string = await encrypt(message2, keyPairRSAOAEP.publicKey, {encoding: "base58", format: "multibase"});

// Decrypt a ciphertext stored in multibase. Note that the encoding field is not required, it is automatically recognized
const message2_decrypted: string = await decrypt(ciphertext58, keyPairRSAOAEP.privateKey, {format: "multibase"});

Miscellaneous functions

Hashing

Very frequently used for various type of data. There are many hash functions around, the most widely used these days is "SHA-256", with "SHA-384" as a more secure alternative.

import { hash } from "@iherman/minicrypto";

const message = "This is the string to be hashed";

const hash_256 = await hash(message)              
const hash_384 = await hash(message, "SHA-384");  // Default is SHA-256

Key conversions

The package contains some functions to convert JWK keys or key pairs to and from their binary equivalents. For the sake of convenience, ths package also re-exports similar functions for Multikeys and Multibase, though it is implemented by a different, underlying package called multikey-webcrypto.

  1. FIPS PUB 186-5: Digital Signature Standard (DSS). U.S. Department of Commerce/National Institute of Standards and Technology. 3 February 2023. National Standard. URL: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
  2. Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters. Lily Chen; Dustin Moody; Karen Randall; Andrew Regenscheid; Angela Robinson. National Institute of Standards and Technology. February 2023.
  3. FIPS PUB 186-5: Digital Signature Standard (DSS). U.S. Department of Commerce/National Institute of Standards and Technology. 3 February 2023. National Standard. URL: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf